Microsoft’s September Patch Tuesday release contained 80 updates, 17 of them rated critical, including fixes for two zero days that Microsoft initially reported as being actively exploited in the wild.

Overall, 57 CVEs were addressed for Windows 10 and 29 CVEs for the older Microsoft operating systems; Office and SharePoint also received updates.

CVE-2019-1214 and CVE-2019-1215 were listed as zero days, but although Microsoft initially reported them as under attack, that designation was later withdrawn: they are not being exploited in the wild. The former is a vulnerability in the Common Log File System (CLFS) driver, and the fix corrects how CLFS handles objects in memory. The latter is in the Winsock driver, and the update ensures that ws2ifsl.sys properly handles objects in memory. Both are local elevation-of-privilege flaws: Microsoft noted that to exploit them an attacker would first have to log on to the system and then run a specially crafted application to take control of it. That precondition means they are not remotely exploitable on their own, but they are exactly the kind of bug that gets chained after an initial foothold, so they still merit prompt patching.

“These impact all supported versions of Windows, and patching should be prioritized,” said Jimmy Graham, Qualys’ senior director of product management.

Satnam Narang, senior research engineer at Tenable, pointed out additional critical issues in the Remote Desktop Client that should be at the top of every IT administrator’s list: CVE-2019-1290, CVE-2019-1291, CVE-2019-0787 and CVE-2019-0788. Microsoft’s disclosure of these four Remote Desktop Client flaws follows the fixes for BlueKeep in May and DejaBlue in August, but the new flaws are exploited differently.

“Unlike BlueKeep and DejaBlue, where attackers target
vulnerable Remote Desktop servers, these vulnerabilities require an attacker to
convince a user to connect to a malicious Remote Desktop server. Attackers
could also compromise vulnerable servers and host malicious code on them and wait
for users to connect to them,” Narang said.

Graham also highlighted CVE-2019-1257, CVE-2019-1295 and CVE-2019-1296 in SharePoint as priorities: the first involves uploading a malicious application package, while the other two are deserialization vulnerabilities in the SharePoint API.

Chris Goettl, director of product management, security at Ivanti, raised an issue with the September rollout that falls outside the security area but is indicative of upcoming changes that IT admins need to be aware of.

“A couple of things to note about Servicing Stack Updates. They are rated as critical but are not resolving security vulnerabilities. They are also not part of the cumulative update chain. They are a separate update that needs to be installed outside of the normal cumulative or security only bundle. This is a critical update to Microsoft’s update system within the OS. This means some changes are coming down the line and there will be a point where you cannot update the Windows updates on the system if the Servicing Stack update is not applied,” he said.
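Because a Servicing Stack Update ships as its own package rather than as part of the cumulative update, the quickest way to confirm it actually landed on a host is to ask the component store directly. The following PowerShell is an added example, not code from the article or from Ivanti; it assumes the built-in DISM module (Get-WindowsPackage) is available and that Microsoft’s SSU packages carry "ServicingStack" in their package name, and it must run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: list Servicing Stack Update packages installed in the running OS.
# Assumption: SSU packages are named like "Package_for_ServicingStack_*", so a
# wildcard match on PackageName is enough to pick them out.

function Get-ServicingStackPackage {
    [CmdletBinding()]
    param()

    # Get-WindowsPackage -Online enumerates every package in the component store
    # of the running image, including updates that are not visible via Get-HotFix.
    Get-WindowsPackage -Online |
        Where-Object { $_.PackageName -like '*ServicingStack*' } |
        Select-Object PackageName, PackageState, ReleaseType, InstallTime |
        Sort-Object InstallTime -Descending
}

# Report the newest SSU and warn if none is present, since a missing SSU can
# block later cumulative updates from installing at all.
$ssu = Get-ServicingStackPackage
if (-not $ssu) {
    Write-Warning 'No Servicing Stack Update package found; install the current SSU before the cumulative update.'
} else {
    Write-Host "Newest servicing stack package: $($ssu[0].PackageName) ($($ssu[0].PackageState))"
    $ssu | Format-Table -AutoSize
}
```

Run it on a handful of representative machines after the September rollout; a host that reports the cumulative update as installed but shows no SSU package, or an SSU in a state other than Installed, is the one that will fail on a future cumulative update.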